[Bug 1743] Flowtable: Flows exiting OFFLOAD State being assigned value of nf_conntrack_tcp_timeout_unacknowledged

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu May 2 09:36:32 CEST 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1743

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,

flowtable PPPoE was broken in software mode.

The flow entry was created in the flowtable, but it did not match. That is,
listing with conntrack -L shows an entry with the OFFLOAD flag but it was never
matched, but you still see packets hitting the forward chain which is not
correct. Once flowtable fast path is set up, packets are seen at ingress and
egress hooks.

Basically, PPPoE encapsulated packets were pushed back to classic path because
the tuple was not correctly set up, only one direction of the flow followed the
fast path.

I managed to reproduce this in a small testbed with a PPPoE server/client,
hence the fix I posted.

I have a more permanent testbed to test PPPoE, it would be good to integrate
this into a script that can run in nftables tests/shell with containers to make
sure this does not break again in the future, I have to look into this.

Please, note that this patch is also convenient to have for those that require
PPPoE:

From: Pablo Neira Ayuso <pablo at netfilter.org>

[ Upstream commit 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf ]

Ensure there is sufficient room to access the protocol field of the
PPPoE header. Validate it once before the flowtable lookup, then use a
helper function to access protocol field.

Reported-by: syzbot+b6f07e1c07ef40199081 at syzkaller.appspotmail.com
Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Sasha Levin <sashal at kernel.org>

These two patches have been enqueued to -stable kernels.
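
Added illustration of the check the quoted commit message describes (validate the room for the PPPoE protocol field once, then read it through a helper). This is a user-space C example, not the kernel patch and not code from this thread; all function and macro names are hypothetical and the sample frame is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC, src MAC, EtherType */
#define PPPOE_HDR_LEN   6      /* ver/type, code, session id, length */
#define PPP_PROTO_LEN   2      /* PPP protocol field after the PPPoE header */
#define ETHERTYPE_PPPOE_SES 0x8864
#define PPP_PROTO_IPV4      0x0021
#define PPP_PROTO_IPV6      0x0057

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate once, before any lookup: the frame must be a PPPoE session frame
 * AND long enough to hold the 2-byte protocol field, not just the header. */
static bool pppoe_frame_ok(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN)
        return false;
    return rd16(frame + 12) == ETHERTYPE_PPPOE_SES;
}

/* Helper for the protocol field; only valid after pppoe_frame_ok(). */
static uint16_t pppoe_proto(const uint8_t *frame)
{
    return rd16(frame + ETH_HDR_LEN + PPPOE_HDR_LEN);
}

/* 1 = eligible for a fast-path lookup, 0 = leave to the classic path. */
static int classify(const uint8_t *frame, size_t len)
{
    if (!pppoe_frame_ok(frame, len))
        return 0;
    uint16_t proto = pppoe_proto(frame);
    return proto == PPP_PROTO_IPV4 || proto == PPP_PROTO_IPV6;
}

/* Constructed sample: Ethernet + PPPoE session header + PPP proto (IPv4) + 2 payload bytes. */
static const uint8_t sample[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x04, 0x00,0x21, 0x45,0x00 };

int main(void)
{
    printf("full frame: %d\n", classify(sample, sizeof(sample)));
    printf("cut after PPPoE header: %d\n", classify(sample, ETH_HDR_LEN + PPPOE_HDR_LEN));
    return 0;
}
```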
